WatchGuard Firebox / Fireware OS iked Out‑of‑Bounds Write

A remotely exploitable out‑of‑bounds write in the IKE/IKEv2 handler (iked) of WatchGuard Firebox/Fireware OS can be triggered by specially crafted IKEv2 packets, potentially enabling unauthenticated code execution on vulnerable devices. Affected releases include Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and 2025.1; 11.x is end‑of‑life, and patches are available for supported branches. A PoC was made public on  October 16.

Successful exploitation can yield full device compromise (persistent shell, configuration theft, VPN credential exposure), allow attackers to decrypt or intercept VPN traffic, pivot into internal networks, and persist in a trusted security appliance — outcomes that lead directly to data theft, lateral movement and long dwell times. 

While there is no report of active exploitation, the reach and importance of WatchGuard’s devices makes identifying and patching vulnerable instances urgent, given attackers commonly will seek to weaponize flaws after disclosure. 

Find and fix urgent exploitation risk with Rapid Response

Stop Guessing, Start Proving

NodeZero^® Platform

Implement a continuous find, fix, and verify loop with NodeZero

The NodeZero^® platform empowers your organization to reduce your security risks by autonomously finding exploitable weaknesses in your network, giving you detailed guidance around how to priortize and fix them, and having you immediately verify that your fixes are effective.

Explore NodeZero